
FBI: Iranian Firm Stole Data In Massive Spear Phishing Campaign

The Department of Justice has announced charges against nine Iranians, affiliated with the Mabna Institute, who are accused of stealing private data from U.S. universities, private companies, and U.S. government departments.

The United States Department of Justice announced charges against nine Iranians accused of stealing private data from U.S. universities, private companies and U.S. government agencies.

FBI Deputy Director David Bowdich said in a statement that the state-sponsored hackers worked for more than four years to steal expensive science and engineering-related research, company trade secrets, and sensitive U.S. government information.

The stolen information was used by the Iranian government or sold for profit, said the FBI. According to the indictment, the hackers stole more than 30 terabytes of academic data, intellectual property that had cost the U.S. universities a total of $3.4 billion to procure.

The nine hackers, who are currently at large, are affiliated with the Mabna Institute, an Iran-based company created in 2013. The FBI said that this company was created for the “express purpose of illegally gaining access to non-Iranian scientific resources through computer intrusions.”

“Members of the institute were contracted by the Islamic Revolutionary Guard Corps—one of several entities within the Iranian government responsible for gathering intelligence—as well as other Iranian government clients,” according to the U.S. indictment. “The exfiltrated data… were obtained for the benefit of the IRGC, and were also sold within Iran, including through two websites.”

The hackers allegedly targeted five U.S. government entities, including the Department of Labor and the Federal Energy Regulatory Commission.

They are also accused of targeting 144 U.S.-based universities and 176 foreign universities in 21 countries; as well as 50 private companies, the majority of which were U.S. firms.

Spear Phishing and Intrusion Tactics

The FBI said that the hackers initially used an elaborate spear phishing campaign to compromise the e-mail accounts and computer systems of more than 8,000 professors.

“Their primary goal was to obtain user names and passwords for the accounts of professors so they could gain unauthorized access and steal whatever kind of proprietary academic information they could get their hands on,” said the FBI’s statement.

Hackers would first research professors’ interests and the academic articles they had published, and then send spear phishing emails to those targets.

The emails, which appeared to be from professors at other universities, tricked many of the victims into clicking on links that recorded their keystrokes when they signed into what they thought were their secure university domains. In actuality these linked domains were bogus sites controlled by the hackers.

In addition to spear phishing, the hackers also began targeting various U.S. federal agencies using a method in which they collected lists of names and e-mail accounts through open-source internet searches. The hackers then guessed users’ passwords, hoping that some users had never changed default company passwords or used common ones such as “password123,” the FBI said.
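The password-guessing method described above leaves a recognisable footprint in authentication logs: one source trying one or two guesses against many distinct accounts, rather than one account failing many times. The following detector is an added example, not code from the article or the FBI; the log format, account names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample SSO log lines in an assumed format:
# "<timestamp> user=<email> result=<ok|fail> src=<ip>"
SAMPLE_LOG = """\
2018-03-01T09:00:01 user=alice@univ.example result=fail src=203.0.113.7
2018-03-01T09:00:04 user=bob@univ.example result=fail src=203.0.113.7
2018-03-01T09:00:08 user=carol@univ.example result=fail src=203.0.113.7
2018-03-01T09:00:11 user=dave@univ.example result=fail src=203.0.113.7
2018-03-01T09:00:15 user=erin@univ.example result=ok src=203.0.113.7
2018-03-01T09:05:00 user=alice@univ.example result=fail src=198.51.100.2
2018-03-01T09:05:30 user=alice@univ.example result=fail src=198.51.100.2
2018-03-01T09:06:00 user=alice@univ.example result=ok src=198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail) src=(?P<src>\S+)$"
)

def parse_events(text):
    """Parse the assumed log format into a list of dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def detect_spray(events, min_accounts=4, max_fail_per_account=2):
    """Flag source IPs that fail against many distinct accounts while keeping
    per-account failures low (the spray pattern). A single account failing
    repeatedly from one source, e.g. a mistyped password, is not flagged.
    Returns {src: {"accounts": n_sprayed, "success": [users that later succeeded]}}."""
    fails = defaultdict(lambda: defaultdict(int))
    oks = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            fails[e["src"]][e["user"]] += 1
        else:
            oks[e["src"]].add(e["user"])
    hits = {}
    for src, per_user in fails.items():
        sprayed = [u for u, n in per_user.items() if n <= max_fail_per_account]
        if len(sprayed) >= min_accounts:
            hits[src] = {"accounts": len(sprayed), "success": sorted(oks[src])}
    return hits
```

The "success" list is the part worth acting on: an account that authenticated from a spraying source right after a run of failures against its neighbours is the one to reset and review first.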

Bowdich said that the victims have been notified so that they could take action to minimize the impact.

Mark Orlando, chief technology officer for cyber services at Raytheon, said it was shocking how simple it was for attackers to use these methods to compromise systems.

“For the universities, all they had to do was email professors, say how much they liked their work, and trick them into clicking over to a fake login page,” he said. “For the other targets, they simply collected e-mail addresses and guessed the passwords.”

The UK National Cyber Security Centre (NCSC) on Monday joined the U.S. in condemning the alleged attacks, particularly relating to universities based in the UK.

NCSC assesses with high confidence that the Mabna Institute were almost certainly responsible for cyber attacks targeting universities around the world, including in the UK https://t.co/I9qvz6GLeg

“The UK Government judges that the Mabna Institute based in Iran was responsible for a hacking campaign targeting universities around the world. By stealing intellectual property from universities, these hackers attempted to make money and gain technological advantage at our expense,” said Cyber Foreign Office Minister Tariq Ahmad in a statement.

In a statement on Friday, the Iran Foreign Ministry condemned the sanctions: “Indubitably, the US will not be able to use such ploys to stop or prevent Iranian people’s scientific progress,” said Bahram Qassemi on the Iran Foreign Ministry’s website.

Tensions are heating up between Iran and the U.S. over cybersecurity. In September, FireEye claimed that an Iranian group called APT33 was behind a cyberespionage campaign, also using the spear phishing method, targeting aerospace, petrochemical and energy sector firms in the U.S., as well as in Saudi Arabia and South Korea.

“Nation-state hackers will attack anyone and anything they think will help them infiltrate our institutions and infrastructure, so this is a clear call for everyone to get serious about cyber hygiene and realize they, too, can be a target,” said Orlando.

Authors

Threatpost
